23 Nov, 2016

1 commit

  • The hci_get_route() API is used to look up local HCI devices, however
    so far it has been incapable of dealing with anything else than the
    public address of HCI devices. This completely breaks with LE-only HCI
    devices that do not come with a public address, but use a static
    random address instead.

    This patch extends the hci_get_route() API with a src_type parameter
    that's used for comparing with the right address of each HCI device.

    Signed-off-by: Johan Hedberg
    Signed-off-by: Marcel Holtmann

    Johan Hedberg
     

20 Dec, 2015

1 commit


06 Jun, 2015

1 commit


11 May, 2015

2 commits


03 Mar, 2015

1 commit

  • Now that TIPC no longer depends on the iocb argument in its internal
    implementations of the sendmsg() and recvmsg() hooks defined in the
    proto structure, no user is using the iocb argument in them at all.
    We can therefore drop the redundant iocb argument completely from all
    implementations of both sendmsg() and recvmsg() in the entire
    networking stack.

    Cc: Christoph Hellwig
    Suggested-by: Al Viro
    Signed-off-by: Ying Xue
    Signed-off-by: David S. Miller

    Ying Xue
     

24 Jan, 2015

1 commit

  • l2cap/rfcomm/sco_sock_accept() are wait loops which may acquire
    sleeping locks. Since both wait loops and sleeping locks use
    task_struct.state to sleep and wake, the nested sleeping locks
    destroy the wait loop state.

    Use the newly-minted wait_woken() and DEFINE_WAIT_FUNC() for the
    wait loop. DEFINE_WAIT_FUNC() allows an alternate wake function
    to be specified; in this case, the predefined scheduler function,
    woken_wake_function(). This wait construct ensures wakeups will
    not be missed without requiring the wait loop to set the
    task state before condition evaluation. How this works:

    CPU 0                        | CPU 1
                                 |
                                 | is set?
                                 |   no
    set                          |
                                 |
    wake_up_interruptible        |
      woken_wake_function        |
        set WQ_FLAG_WOKEN        |
        try_to_wake_up           |
                                 | wait_woken
                                 |   set TASK_INTERRUPTIBLE
                                 |   WQ_FLAG_WOKEN? yes
                                 |   set TASK_RUNNING
                                 |
                                 | - loop -
                                 |
                                 | is set?
                                 |   yes - exit wait loop

    Fixes "do not call blocking ops when !TASK_RUNNING" warnings
    in l2cap_sock_accept(), rfcomm_sock_accept() and sco_sock_accept().

    Signed-off-by: Peter Hurley
    Signed-off-by: Johan Hedberg

    Peter Hurley
     

12 Jan, 2015

1 commit


21 Dec, 2014

1 commit


12 Dec, 2014

1 commit

  • Pull networking updates from David Miller:

    1) New offloading infrastructure and example 'rocker' driver for
    offloading of switching and routing to hardware.

    This work was done by a large group of dedicated individuals, not
    limited to: Scott Feldman, Jiri Pirko, Thomas Graf, John Fastabend,
    Jamal Hadi Salim, Andy Gospodarek, Florian Fainelli, Roopa Prabhu

    2) Start making the networking operate on IOV iterators instead of
    modifying iov objects in-situ during transfers. Thanks to Al Viro
    and Herbert Xu.

    3) A set of new netlink interfaces for the TIPC stack, from Richard
    Alpe.

    4) Remove unnecessary looping during ipv6 routing lookups, from Martin
    KaFai Lau.

    5) Add PAUSE frame generation support to gianfar driver, from Matei
    Pavaluca.

    6) Allow for larger reordering levels in TCP, which are easily
    achievable in the real world right now, from Eric Dumazet.

    7) Add a variant of napi_schedule that doesn't need to disable cpu
    interrupts, from Eric Dumazet.

    8) Use a doubly linked list to optimize neigh_parms_release(), from
    Nicolas Dichtel.

    9) Various enhancements to the kernel BPF verifier, and allow eBPF
    programs to actually be attached to sockets. From Alexei
    Starovoitov.

    10) Support TSO/LSO in sunvnet driver, from David L Stevens.

    11) Allow controlling ECN usage via routing metrics, from Florian
    Westphal.

    12) Remote checksum offload, from Tom Herbert.

    13) Add split-header receive, BQL, and xmit_more support to amd-xgbe
    driver, from Thomas Lendacky.

    14) Add MPLS support to openvswitch, from Simon Horman.

    15) Support wildcard tunnel endpoints in ipv6 tunnels, from Steffen
    Klassert.

    16) Do gro flushes on a per-device basis using a timer, from Eric
    Dumazet. This tries to resolve the conflicting goals between the
    desired handling of bulk vs. RPC-like traffic.

    17) Allow userspace to ask for the CPU upon which a packet was
    received/steered, via SO_INCOMING_CPU. From Eric Dumazet.

    18) Limit GSO packets to half the current congestion window, from Eric
    Dumazet.

    19) Add a generic helper so that all drivers set their RSS keys in a
    consistent way, from Eric Dumazet.

    20) Add xmit_more support to enic driver, from Govindarajulu
    Varadarajan.

    21) Add VLAN packet scheduler action, from Jiri Pirko.

    22) Support configurable RSS hash functions via ethtool, from Eyal
    Perry.

    * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next: (1820 commits)
    Fix race condition between vxlan_sock_add and vxlan_sock_release
    net/macb: fix compilation warning for print_hex_dump() called with skb->mac_header
    net/mlx4: Add support for A0 steering
    net/mlx4: Refactor QUERY_PORT
    net/mlx4_core: Add explicit error message when rule doesn't meet configuration
    net/mlx4: Add A0 hybrid steering
    net/mlx4: Add mlx4_bitmap zone allocator
    net/mlx4: Add a check if there are too many reserved QPs
    net/mlx4: Change QP allocation scheme
    net/mlx4_core: Use tasklet for user-space CQ completion events
    net/mlx4_core: Mask out host side virtualization features for guests
    net/mlx4_en: Set csum level for encapsulated packets
    be2net: Export tunnel offloads only when a VxLAN tunnel is created
    gianfar: Fix dma check map error when DMA_API_DEBUG is enabled
    cxgb4/csiostor: Don't use MASTER_MUST for fw_hello call
    net: fec: only enable mdio interrupt before phy device link up
    net: fec: clear all interrupt events to support i.MX6SX
    net: fec: reset fep link status in suspend function
    net: sock: fix access via invalid file descriptor
    net: introduce helper macro for_each_cmsghdr
    ...

    Linus Torvalds
     

24 Nov, 2014

1 commit


04 Nov, 2014

2 commits

  • This patch fixes the following sparse warnings in rfcomm/core.c:

    net/bluetooth/rfcomm/core.c:391:16: warning: dubious: x | !y
    net/bluetooth/rfcomm/core.c:546:24: warning: dubious: x | !y

    Signed-off-by: Johan Hedberg
    Signed-off-by: Marcel Holtmann

    Johan Hedberg
     
  • rfcomm_run() is a tad broken in that it has a nested wait loop. One
    cannot rely on p->state for the outer wait because the inner wait will
    overwrite it.

    Fix this using the new wait_woken() facility.

    Signed-off-by: Peter Zijlstra (Intel)
    Cc: Peter Hurley
    Cc: Alexander Holler
    Cc: David S. Miller
    Cc: Gustavo Padovan
    Cc: Joe Perches
    Cc: Johan Hedberg
    Cc: Libor Pechacek
    Cc: Linus Torvalds
    Cc: Marcel Holtmann
    Cc: Seung-Woo Kim
    Cc: Vignesh Raman
    Cc: linux-bluetooth@vger.kernel.org
    Cc: netdev@vger.kernel.org
    Signed-off-by: Ingo Molnar

    Peter Zijlstra
     

02 Nov, 2014

1 commit

  • The current kernel options do not make it clear which modules are for
    Bluetooth Classic (BR/EDR) and which are for Bluetooth Low Energy (LE).

    To make it really clear, introduce BT_BREDR and BT_LE options with
    proper dependencies into the different modules. Both new options
    default to y to not create a regression with previous kernel config
    files.

    Signed-off-by: Marcel Holtmann
    Signed-off-by: Johan Hedberg

    Marcel Holtmann
     

25 Oct, 2014

2 commits

  • The value returned by this macro might be used as a bit value, so it
    should return either 0 or 1 to avoid possible bugs (similar to the NSC
    bug) when shifting it.

    Signed-off-by: Szymon Janc
    Signed-off-by: Johan Hedberg

    Szymon Janc
     
  • rfcomm_send_nsc expects CR to be either 0 or 1 since it is later
    passed to the __mcc_type macro and shifted. Unfortunately CR extracted
    from the received frame type was not sanitized and the shifted value
    was passed, resulting in a bogus response.

    Note: the shifted value was also passed to other functions but was used
    only in if statements, so this bug appears only for the NSC case.

    The CR bit in the value octet shall be set to the same value
    as the CR bit in the type field octet of the not supported command
    frame, but the CR bit for the NSC response should be set to 0 since it
    is always a response.

    This was affecting TC_RFC_BV_25_C PTS qualification test.

    Signed-off-by: Szymon Janc
    Signed-off-by: Johan Hedberg

    Szymon Janc
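The C/R-bit problem described in the two commits above, as an added userspace example (not kernel code and not part of the commit): it packs and unpacks the RFCOMM MCC type octet the way the kernel's __mcc_type/__get_mcc_type/__test_cr macros do, and shows why an unsanitized C/R value of 2 corrupts the type field of the NSC value octet. The bit layout (EA bit 0, C/R bit 1, type bits 2..7) and the NSC type value 0x04 are taken from the RFCOMM/TS 07.10 spec as I know it, not from the page.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed from the RFCOMM (TS 07.10) spec, not from the page: an MCC type
 * octet is  bit 0 = EA, bit 1 = C/R, bits 2..7 = command type, and the
 * Non Supported Command type is 0x04. */
#define RFCOMM_NSC 0x04

/* Pack/unpack an MCC type octet (same shape as the kernel's __mcc_type and
 * __get_mcc_type macros; `cr` must already be 0 or 1). */
#define MCC_TYPE(cr, type)  ((uint8_t)((((type) & 0x3f) << 2) | ((cr) << 1) | 0x01))
#define MCC_GET_TYPE(b)     (((b) & 0xfc) >> 2)

/* C/R extraction before the fix: evaluates to 0 or 2, i.e. not a bit value. */
#define TEST_CR_RAW(b)      ((b) & 0x02)
/* C/R extraction after the fix: the !! normalises it to 0 or 1. */
#define TEST_CR(b)          (!!((b) & 0x02))

/* Type octet of the NSC frame itself: C/R is always 0, it is a response. */
uint8_t nsc_type_octet(void)
{
    return MCC_TYPE(0, RFCOMM_NSC);
}

/* Value octet of the NSC frame: echoes the offending command's type and
 * its C/R bit.  Shifting a `cr` of 2 here sets bit 2, which belongs to the
 * type field, so the peer sees a different type with C/R cleared. */
uint8_t nsc_value_octet(int cr, uint8_t type)
{
    return MCC_TYPE(cr, type);
}

/* Receive-side simulation: given the type octet of an unsupported MCC
 * command, compute the value octet the NSC response would carry, with
 * either the unsanitised (pre-fix) or sanitised (post-fix) C/R extraction. */
uint8_t nsc_for_received(uint8_t rx_type_octet, int sanitised)
{
    int cr = sanitised ? TEST_CR(rx_type_octet) : TEST_CR_RAW(rx_type_octet);
    uint8_t type = MCC_GET_TYPE(rx_type_octet);
    return nsc_value_octet(cr, type);
}

int main(void)
{
    /* Constructed input: an unknown command type 0x22 sent as a command (C/R=1). */
    uint8_t rx = MCC_TYPE(1, 0x22);                      /* 0x8b */
    uint8_t bad = nsc_for_received(rx, 0);
    uint8_t good = nsc_for_received(rx, 1);

    printf("received type octet 0x%02x (type 0x%02x, C/R %d)\n",
           rx, MCC_GET_TYPE(rx), TEST_CR(rx));
    printf("pre-fix  NSC value octet 0x%02x -> type 0x%02x, C/R %d (bogus)\n",
           bad, MCC_GET_TYPE(bad), TEST_CR(bad));
    printf("post-fix NSC value octet 0x%02x -> type 0x%02x, C/R %d\n",
           good, MCC_GET_TYPE(good), TEST_CR(good));
    printf("NSC type octet 0x%02x\n", nsc_type_octet());
    return 0;
}
```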
     

22 Jul, 2014

1 commit

  • The commits 08c30aca9e698faddebd34f81e1196295f9dc063 "Bluetooth: Remove
    RFCOMM session refcnt" and 8ff52f7d04d9cc31f1e81dcf9a2ba6335ed34905
    "Bluetooth: Return RFCOMM session ptrs to avoid freed session"
    allow rfcomm_recv_ua and rfcomm_session_close to delete the session
    (and free the corresponding socket) and propagate NULL session pointer
    to the upper callers.

    An additional fix is required to terminate the loop in the
    rfcomm_process_rx function to avoid use of freed 'sk' memory.

    The issue is only reproducible with the kernel option CONFIG_PAGE_POISONING
    enabled, which causes freed memory to be changed and filled with a fixed
    char value used to unmask use-after-free issues.

    Signed-off-by: Vignesh Raman
    Signed-off-by: Vitaly Kuzmichev
    Acked-by: Dean Jenkins
    Signed-off-by: Marcel Holtmann
    Cc: stable@vger.kernel.org

    Vignesh Raman
     

17 Jul, 2014

2 commits

  • We're interested in whether an authentication request is because of a
    remote or local action. So far hci_conn_security() has been used both
    for incoming and outgoing actions (e.g. RFCOMM or L2CAP connect
    requests) so without some modifications it cannot know which peer is
    responsible for requesting authentication.

    This patch adds a new "bool initiator" parameter to hci_conn_security()
    to indicate which side is responsible for the request and updates the
    current users to pass this information correspondingly.

    Signed-off-by: Johan Hedberg
    Signed-off-by: Marcel Holtmann

    Johan Hedberg
     
  • If the current process is exiting, lingering on socket close will make
    it unkillable, so we should avoid it.

    Reproducer:

    #include <sys/types.h>
    #include <sys/socket.h>

    #define BTPROTO_L2CAP 0
    #define BTPROTO_SCO 2
    #define BTPROTO_RFCOMM 3

    int main()
    {
        int fd;
        struct linger ling;

        fd = socket(PF_BLUETOOTH, SOCK_STREAM, BTPROTO_RFCOMM);
        //or: fd = socket(PF_BLUETOOTH, SOCK_DGRAM, BTPROTO_L2CAP);
        //or: fd = socket(PF_BLUETOOTH, SOCK_SEQPACKET, BTPROTO_SCO);

        /* Request a (very long) linger on close. */
        ling.l_onoff = 1;
        ling.l_linger = 1000000000;
        setsockopt(fd, SOL_SOCKET, SO_LINGER, &ling, sizeof(ling));

        /* No close(): the socket is released on process exit. */
        return 0;
    }

    Signed-off-by: Vladimir Davydov
    Signed-off-by: Marcel Holtmann
    Cc: stable@vger.kernel.org

    Vladimir Davydov
     

30 May, 2014

1 commit


06 May, 2014

1 commit


12 Apr, 2014

1 commit

  • Several spots in the kernel perform a sequence like:

    skb_queue_tail(&sk->s_receive_queue, skb);
    sk->sk_data_ready(sk, skb->len);

    But at the moment we place the SKB onto the socket receive queue it
    can be consumed and freed up. So this skb->len access is potentially
    to freed up memory.

    Furthermore, the skb->len can be modified by the consumer so it is
    possible that the value isn't accurate.

    And finally, no actual implementation of this callback actually uses
    the length argument. And since nobody actually cared about its
    value, lots of call sites pass arbitrary values in such as '0' and
    even '1'.

    So just remove the length argument from the callback, that way there
    is no confusion whatsoever and all of these use-after-free cases get
    fixed as a side effect.

    Based upon a patch by Eric Dumazet and his suggestion to audit this
    issue tree-wide.

    Signed-off-by: David S. Miller

    David S. Miller
     

27 Mar, 2014

1 commit

  • We should let user space request the peer address also in the pending
    connect states, i.e. BT_CONNECT and BT_CONNECT2. There is existing user
    space code that tries to do this and will fail without extending the set
    of allowed states for the peer address information.

    This patch adds the two states to the allowed ones in the L2CAP and
    RFCOMM sock_getname functions, thereby preventing ENOTCONN from being
    returned.

    Reported-by: Andrzej Kaczmarek
    Signed-off-by: Johan Hedberg
    Tested-by: Andrzej Kaczmarek
    Signed-off-by: Marcel Holtmann

    Johan Hedberg
     

13 Mar, 2014

1 commit


21 Feb, 2014

1 commit

  • When binding an RFCOMM socket with a non-zero channel we're checking if
    there is already any other socket which has the same channel number
    assigned and then fail. This check does not consider the situation where
    we have another socket connected to a remote device on the given channel
    number, in which case we should still be able to bind a local socket.

    This patch changes __rfcomm_get_sock_by_addr() to return only sockets
    in either BT_BOUND or BT_LISTEN states, also name is updated to better
    describe what this function does now.

    Signed-off-by: Andrzej Kaczmarek
    Signed-off-by: Marcel Holtmann

    Andrzej Kaczmarek
     

15 Feb, 2014

15 commits

  • The skb truesize of a 12-byte payload with a 10-byte head/tail
    reserve is 768 bytes. Consequently, even with 40 tx_credits, at
    most 6 packets could be queued at any one time:

    40 tx_credits * 127-byte mtu < 768-byte truesize * 7

    This error could also cause the tx queue to apparently stall if
    credit flow control is disabled (where tx_credits is fixed at 5),
    or if the receiver only granted a limited number of tx credits
    (e.g., less than 7).

    Instead, track the outstanding number of queued packets not yet sent
    in wmem_alloc and allow for a maximum of 40 queued packets. Report
    the space avail for a single write() as the mtu * number of packets
    left before reaching the maximum.

    Signed-off-by: Peter Hurley
    Tested-By: Alexander Holler
    Signed-off-by: Marcel Holtmann

    Peter Hurley
     
  • Compute the amount of space available for a single write()
    within rfcomm_room(); clamp to 0 for negative values. Note
    this patch does not change the result of the computation.

    Report the amount of room returned in the debug printk.

    Signed-off-by: Peter Hurley
    Tested-By: Alexander Holler
    Signed-off-by: Marcel Holtmann

    Peter Hurley
     
  • The tty driver api design prefers no-fail writes if the driver
    write_room() method has previously indicated space is available
    to accept writes. Since this is trivially possible for the
    RFCOMM tty driver, do so.

    Introduce rfcomm_dlc_send_noerror(), which queues but does not
    schedule the krfcomm thread if the dlc is not yet connected
    (and thus does not error based on the connection state).
    The mtu size test is also unnecessary since the caller already
    chunks the written data into mtu size.

    Signed-off-by: Peter Hurley
    Tested-By: Alexander Holler
    Signed-off-by: Marcel Holtmann

    Peter Hurley
     
  • If rfcomm_dlc_open() fails, set tty into error state which returns
    -EIO from reads and writes.

    Signed-off-by: Peter Hurley
    Tested-By: Alexander Holler
    Signed-off-by: Marcel Holtmann

    Peter Hurley
     
  • If RFCOMM tty device registration fails, cleanup by releasing
    the tty_port reference to trigger rfcomm_dev destruction
    (rather than open-coding it).

    The dlc reference release is moved into rfcomm_dev_add(),
    which ensures cleanup in both error paths, i.e., if
    __rfcomm_dev_add() fails or if tty_port_register_device() fails.

    Fixes releasing the module reference if device registration fails.

    Signed-off-by: Peter Hurley
    Tested-By: Alexander Holler
    Signed-off-by: Marcel Holtmann

    Peter Hurley
     
  • Move rfcomm_dev allocation and initialization into new function,
    __rfcomm_dev_add(), to simplify resource release in error handling.

    Signed-off-by: Peter Hurley
    Tested-By: Alexander Holler
    Signed-off-by: Marcel Holtmann

    Peter Hurley
     
  • At least two different race conditions exist with multiple concurrent
    RFCOMMCREATEDEV and RFCOMMRELEASEDEV ioctls:
    * Multiple concurrent RFCOMMCREATEDEVs with RFCOMM_REUSE_DLC can
    mistakenly share the same DLC.
    * RFCOMMRELEASEDEV can destruct the rfcomm_dev still being
    constructed by RFCOMMCREATEDEV.

    Introduce rfcomm_ioctl_mutex to serialize these add/remove operations.

    Signed-off-by: Peter Hurley
    Tested-By: Alexander Holler
    Signed-off-by: Marcel Holtmann

    Peter Hurley
     
  • Functions which search lists for matching id's are more
    commonly named *_lookup, which is the convention in the
    bluetooth core as well.

    Signed-off-by: Peter Hurley
    Tested-By: Alexander Holler
    Signed-off-by: Marcel Holtmann

    Peter Hurley
     
  • The RFCOMM tty device is parented to the acl link device when
    the dlc state_change(BT_CONNECTED) notification is received.
    However, if the dlc from the RFCOMM socket is being reused
    (RFCOMM_REUSE_DLC is set), then the dlc may already be connected,
    and no notification will occur.

    Instead, always parent the RFCOMM tty device to the acl link
    device at registration time. If the acl link device is not available
    (e.g., because the dlc is not connected) then the tty will remain
    unparented until the BT_CONNECTED notification is received.

    Fixes regression with ModemManager when the rfcomm device is
    created with the flag RFCOMM_REUSE_DLC.

    Signed-off-by: Peter Hurley
    Tested-By: Alexander Holler
    Signed-off-by: Marcel Holtmann

    Peter Hurley
     
  • Accessing the results of hci_conn_hash_lookup_ba() is unsafe without
    holding the hci_dev_lock() during the lookup. For example:

    CPU 0                        | CPU 1
    hci_conn_hash_lookup_ba      | hci_conn_del
      rcu_read_lock              |   hci_conn_hash_del
      list_for_each_entry_rcu    |     list_del_rcu
        if (.....)               |     synchronize_rcu
      rcu_read_unlock            |
                                 |   hci_conn_del_sysfs
                                 |   hci_dev_put
                                 |   hci_conn_put
                                 |     put_device (last reference)
                                 |       bt_link_release
                                 |         kfree(conn)
    return p << just freed       |

    Even if a hci_conn reference were taken (via hci_conn_get), it would
    not guarantee the lifetime of the sysfs device, but only safe
    access to the in-memory structure.

    Ensure the hci_conn device stays valid while the rfcomm device
    is reparented; rename rfcomm_get_device() to rfcomm_reparent_device()
    and perform the reparenting within the function while holding the
    hci_dev_lock.

    Signed-off-by: Peter Hurley
    Tested-By: Alexander Holler
    Signed-off-by: Marcel Holtmann

    Peter Hurley
     
  • If the RFCOMM session has not yet been started (i.e., the session is
    still in BT_BOUND state) when a dlc is closed, directly close and
    unlink the dlc rather than sending a DISC frame that is never
    sent.

    This allows the dlci to be immediately reused rather than waiting
    for a 20 second timeout.

    Signed-off-by: Peter Hurley
    Tested-By: Alexander Holler
    Signed-off-by: Marcel Holtmann

    Peter Hurley
     
  • Prepare for directly closing dlc if the RFCOMM session has not
    yet been started; refactor the dlc disconnect logic into a separate
    local function, __rfcomm_dlc_disconn(). Retains functional
    equivalence.

    Signed-off-by: Peter Hurley
    Tested-By: Alexander Holler
    Signed-off-by: Marcel Holtmann

    Peter Hurley
     
  • Prepare for directly closing dlc if the RFCOMM session has not
    yet been started; refactor the deferred setup test for only those
    dlc states to which the test applies. Retains functional
    equivalence.

    Signed-off-by: Peter Hurley
    Tested-By: Alexander Holler
    Signed-off-by: Marcel Holtmann

    Peter Hurley
     
  • Merge conditional test for BT_LISTEN session state into following
    switch statement (which is functionally equivalent).

    Signed-off-by: Peter Hurley
    Tested-By: Alexander Holler
    Signed-off-by: Marcel Holtmann

    Peter Hurley
     
  • Only one session/channel combination may be in use at any one
    time. However, the failure does not occur until the tty is
    opened (in rfcomm_dlc_open()).

    Because these settings are actually bound at rfcomm device
    creation (via RFCOMMCREATEDEV ioctl), validate and fail before
    creating the rfcomm tty device.

    Signed-off-by: Peter Hurley
    Tested-By: Alexander Holler
    Signed-off-by: Marcel Holtmann

    Peter Hurley